guloader | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Size

759KB
MD5

e1dc71be5b3466d47a4934013be9b604
SHA1

4c6627a901ade3b1f0cd6a233085deb7e044ef97
SHA256

1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
SHA512

a44f75ea0eac848dd2b724b9a50fb5b0259382f61a047563689381e3a60fc07547c209b2acdddcb1dae371cdf51f0065e2a89ff0276299c0d72928af87c9aafc
SSDEEP

12288:GtomEHbPQsIbw8Z9TzDBWzowh0Nxj5gUZVroN64V23i3Qo+eSp5:TN7PXIdZlDBWUrx5gAVroNFHzU

Score

10^/10

guloader remcos remotehost collection discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

162.251.122.87:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UOMZ21
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1984-602-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1984-603-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1004-592-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/612-601-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/612-600-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1984-598-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1004-594-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1004-611-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/612-619-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/612-601-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/612-600-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/612-619-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1004-592-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1004-594-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1004-611-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 2 IoCs

pid	Process
2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 824 set thread context of 1004	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	33
PID 824 set thread context of 612	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	34
PID 824 set thread context of 1984	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
1004	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 2108 wrote to memory of 824	2108	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	31
PID 824 wrote to memory of 1004	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	33
PID 824 wrote to memory of 1004	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	33
PID 824 wrote to memory of 1004	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	33
PID 824 wrote to memory of 1004	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	33
PID 824 wrote to memory of 612	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	34
PID 824 wrote to memory of 612	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	34
PID 824 wrote to memory of 612	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	34
PID 824 wrote to memory of 612	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	34
PID 824 wrote to memory of 1984	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	35
PID 824 wrote to memory of 1984	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	35
PID 824 wrote to memory of 1984	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	35
PID 824 wrote to memory of 1984	824	1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe	35

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
  "C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yedbjfft"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzitkxqnclu"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:612
- - C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
    C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbomlqboytmtxg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6bc00224ba03e285df5e30c501463803

SHA1
61fda1c1cf15227e35283f3f746bb203e4d19137

SHA256
cf425e31b41a2dd76d747a216f658da4803c58b1b66205951d37e1190325d6e7

SHA512
7cce6068b336a9c95bc73b145e95983fbf32eb53a41135d6d06daf77b8eb8edf42b8de12538a8ae275fd0516818214a9b3ed52da424003aba796131d33fa1167

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBE18.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBE08.tmp

Filesize
56B

MD5
24c65563d17054b07c6135e87a53cffd

SHA1
4765777312bf6c4c7272e61b4dbbce3202bb2d68

SHA256
e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce

SHA512
f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp

Filesize
29B

MD5
5b2357aa9ee8d93ebc8fea2a7da01fda

SHA1
3a5bb5ceeeb26ee649ce9c8fa1c47e45d8c8f00a

SHA256
f2b723416cc41c59b870a8fbbe8ecab3cd0cf2298902649a50668b1b88e6e835

SHA512
03d9cbca3d09de197530779f90b8864da4a34aa50a7dc87fdd964ac53a5a6a73f543fe5727fc2df29b9cf5b3646b1ffc60b90883148c1989fdbcee5658582fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp

Filesize
60B

MD5
33714fd37d9159cf4911fe47896b9e69

SHA1
77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611

SHA256
8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2

SHA512
e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBC70.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yedbjfft

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBC60.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/612-593-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/612-619-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/612-597-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/612-600-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/612-601-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/824-651-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-581-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/824-636-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-584-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-633-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-630-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-627-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-583-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-642-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-639-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-645-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-648-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-624-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-621-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-617-0x0000000031F00000-0x0000000031F19000-memory.dmp

Filesize
100KB

Download
memory/824-614-0x0000000031F00000-0x0000000031F19000-memory.dmp

Filesize
100KB

Download
memory/824-654-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/824-618-0x0000000031F00000-0x0000000031F19000-memory.dmp

Filesize
100KB

Download
memory/1004-599-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/1004-589-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1004-594-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1004-611-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1004-592-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1004-591-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1984-598-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-596-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-603-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-602-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-595-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-582-0x0000000003DF0000-0x0000000004C79000-memory.dmp

Filesize
14.5MB

Download
memory/2108-580-0x0000000003DF0000-0x0000000004C79000-memory.dmp

Filesize
14.5MB

Download
memory/2108-579-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/2108-578-0x0000000077AB1000-0x0000000077BB2000-memory.dmp

Filesize
1.0MB

Download
memory/2108-577-0x0000000003DF0000-0x0000000004C79000-memory.dmp

Filesize
14.5MB

Download